You must have the grantRoleaction on the database a privilege targets in order to
grant the privilege. To grant a privilege on multiple databases or on the
cluster resource, you must have the grantRole action on
the admin database.

The first privilege permits users with this role to perform the
insertaction on all collections of
the products database, except the system collections. To access a system collection, a
privilege must explicitly specify the system collection in the resource
document, as in the second privilege.

The second privilege permits users with this role to perform the
findaction on the
product database’s system collection named system.js.